Millions of './ANY/IN' queries denied
Reindl Harald
h.reindl at thelounge.net
Wed Dec 15 14:17:27 UTC 2021
On 15.12.21 at 15:01, John Kristoff wrote:
>> Would I be doing a bad thing by using fail2ban to block these IPs?
>
> This might be dangerous. If someone spoofs a well formed UDP query
> that does what the above does and you block it, what if the spoofed
> source is something you don't want blocked? This doesn't happen often,
> but I've seen it happen and people have gotten badly burned by it.
It's even an attack surface.
Nothing is easier than forging UDP queries to trigger fail2ban for whatever
IP the attacker wants.
Feed it with ISP and Google resolvers to take your domains down for a
large part of the world.
It's called "self-DoS": a "denial of service" doesn't need many resources,
it's enough when you are taking yourself down on your own.
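To make the risk above concrete, here is an added example (not code from the thread or from fail2ban) that parses constructed BIND "query denied" log lines the way a fail2ban filter would and shows how a ban threshold alone would ban a public resolver whose address merely appears as the (unauthenticated) UDP source. The NEVER_BAN allowlist and the sample addresses are assumptions for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Shape of a BIND 9 "query (cache) ... denied" log line, as a fail2ban filter would match it.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-f.:]+)#\d+ \([^)]*\): "
    r"query \(cache\) '[^']*/ANY/IN' denied"
)

# Resolvers a jail must never ban (assumed list; in production the ISP and
# public resolvers your users depend on).
NEVER_BAN = [ip_network(n) for n in ("8.8.8.8/32", "8.8.4.4/32", "1.1.1.1/32", "203.0.113.0/24")]

# Constructed sample log: one noisy client plus two lines whose source
# address is Google's resolver; a UDP source like that can be spoofed.
SAMPLE_LOG = """\
15-Dec-2021 14:01:02.123 client @0x7f3a 198.51.100.7#53211 (.): query (cache) './ANY/IN' denied
15-Dec-2021 14:01:02.456 client @0x7f3a 198.51.100.7#53212 (.): query (cache) './ANY/IN' denied
15-Dec-2021 14:01:03.001 client @0x7f3b 8.8.8.8#33333 (.): query (cache) './ANY/IN' denied
15-Dec-2021 14:01:03.002 client @0x7f3b 8.8.8.8#33334 (.): query (cache) './ANY/IN' denied
"""


def naive_ban_candidates(log_text, maxretry=2):
    """Sources a threshold-only jail would ban: maxretry or more denied queries."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return {ip for ip, n in hits.items() if n >= maxretry}


def is_protected(ip):
    """True if the address falls inside the never-ban allowlist."""
    addr = ip_address(ip)
    return any(addr in net for net in NEVER_BAN)


def safe_ban_list(log_text, maxretry=2):
    """Split candidates into (banned, skipped); skipped ones hit the allowlist."""
    candidates = naive_ban_candidates(log_text, maxretry)
    banned = {ip for ip in candidates if not is_protected(ip)}
    return banned, candidates - banned
```

The allowlist only narrows the damage: any address not on it can still be banned by forged queries, since nothing in the log line authenticates the UDP source, which is the self-DoS the message describes.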